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\ Abstract. In 1998 Crandall introduced a method based on coding theory to secretly 

?-H ' embed a message in a digital support such as an image. Later Fridrich et al. improved 

this method to minimize the distortion introduced by the embedding; a process called wet 
paper. However, as previously emphasized in the literature, this method can fail during 
the embedding step. Here we find sufficient and necessary conditions to guarantee a 
successful embedding by studying the dual distance of a linear code. Since these results 
are essentially of combinatorial nature, they can be generalized to systematic codes, a 
large family containing all linear codes. We also compute the exact number of solutions 
U: and point out the relationship between wet paper codes and orthogonal arrays. 

> , 1. Introduction 

O _ 

Steganography is the science of transmitting messages in secret, so that no one other 
than the sender and receiver may detect the existence of hidden data. It is reahzed by 
. embedding the information into innocuous cover objects, as digital images. To carry out 

^ this process, the sender first extracts a sequence ci,...,Cn, of n bits from the image, 

e.g. the least significant bits of n pixels gray values. The cover vector c = (ci, . . . , c^) is 
modified according to a certain algorithm for storing a secret message mi, . . . ,771^. Then 
^1 Ci, . . . ,Cn are replaced by modified Xi, . . . ,Xn in the cover image which is sent through 

I the channel. By using the modified vector x the receiver is able to recover the hidden 

information. The embedding and recovering algorithms form the steganographic scheme 
of this system. Formally, a steganographic scheme (or stegoscheme) S of type [n, r] over 
the binary alphabet F2 is a pair of functions (emb,rec). By using the embedding function 
emb : F2 X F2 — )■ F2 the secret message m e F2 is hidden in the cover vector c e F2 as 
X = emb(c, m) and subsequently recovered by the receiver with the recovering function 
rec : F2 — )■ F2 as rec(x) whenever these functions verify that rec(emb(c, m)) = m for all 
c G F^ and m G F^. 
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Steganographic schemes are closely related to error correcting codes. Given a [n, r] stego- 
scheme S, for each m G we consider the code Cm = {x G F2 : rec(x) = m}. Then 
the family {Cm : m G Fg} gives a partition on F2 and for all m G Fg the mapping 
decm : F2 —7- Cm defined by decm(c) = emb(c, m) is a decoding map for the code Cm- 
Conversely let {Cm : m G Fg} be a partition of F2 and for each m G F2 let deCm be a 
minimum distance decoding map of Cm- Consider emb : F2 x Fg — F2 and rec : F2 — )■ Fg 
defined by emb(c,m) = deCm(c) and rec(x) = m if x G Cm- Then S = (emb, rec) is a 
[n, r] stegoscheme. As a consequence, the following objects are equivalent 

• a [n,r] stegoscheme S = (emb, rec); 

• a family {(Cm, deCm) : m G W^} where {Cm : m G Fg} gives a partition of Fg and 
for every m, deCm is a minimum distance decoding map for Cm- 

Since all vectors c and m are in principle equiprobable, it is desirable that all codes Cm 
have the same cardinality. The above equivalence has been extensively exploited to make 
stegoschemes that minimize the embedding distortion caused in the cover. Crandall [5] 
proposed the use of linear codes C and the partition of F2 into cosets {x + C : x G Fg}. 
The obtained method is currently known as matrix encoding. If is a parity check ma- 
trix for C and dec is syndrome decoding (see [24] as a general reference for all facts 
concerning error correcting codes), the obtained embedding and recovering maps are 
emb(c, m) = c — cl{cH^ — m) and rec(x) = xif-^, where cl(z) denotes the leader of the 
coset whose syndrome is z, that is the element of smallest Hamming weight whose syn- 
drome is z . Matrix encoding has proved to be very efficient to minimize the embedding 
distortion in the cover, see [3, 6, 18, 19, 26]. 

To reduce the chance of being detected by third parties, the changeable pixels in the cover 
image should be selected according to the characteristics of the image and the message 
to hide. In this case the recovering of the hidden data is more difficult, since the receiver 
does not know what pixels store information. Wet paper codes are designed to lock some 
components of the cover vector, preventing its modification in the embedding process. 
Mathematically wet paper codes can be explained as follows: imagine we want to embed 
a message m = (mi, . . . , m^) G F2 into a cover vector c = (ci, . . . , c„) G F2 . However, not 
all of coordinates of c can be used for hiding information: there is a set "D C {1, . . . , n} of 
6 > r dry coordinates that may be freely modified by the sender, while the other i = n — 6 
coordinates are wet (or locked) and can not be altered during the embedding process. Let 
W = {1, . . . ,n} \V. The sets V and W are known to the sender but not to the receiver. 
Using the matrix encoding method we set emb(c, m) = x G F2 with 



where H is a r x n matrix of full rank r. Locking positions minimize the possibility 
of detection during transmission but also generates a technical problem, since it is not 
guaranteed the existence of solutions for [S]. A natural question is to ask for the minimum 
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number of dry coordinates (or equivalently, the maximum number of locked coordinates) 
necessary (respectively allowed) to make possible this process. We define the wet threshold 
of H as the minimum number r of dry coordinates such that the system [S] has a solution 
for all c G Fg, m G and W C {1, . . . , n} with #W < n — t. The number of extra 
dry symbols beyond r, t — r is the strict overhead of the system. It is also of interest 
to compute the average overhead 6 — r, where 6 is the average minimum number of dry 
coordinates such that [S] has a solution over all possible choices of H, c, m and W. In 
detail, we want to determine 

(1) necessary and sufficient conditions to ensure that the system [S] has a solution; 

(2) the probability that [S] has a solution for given n,r and 5; 

(3) the average overhead 6 — r to have a solution. 

These problems have already be treated by several authors. Fridrich, Goljan and Soukal 
[7, 9, 8] studied (2) and showed that we can take r = 5 + 0{2~^^^) as 5 — j- oo, which 
gives a first answer to (3). Schonfeld and Winkler [18] treated the particular case of BCH 
codes, giving detailed computer results. Barbier, Augot and Fontaine [1] gave sufficient 
conditions for the existence of solutions by slightly modifying the problem [S] for linear 
codes. The case of Reed-Solomon codes has been treated by Fontaine and Galand in [6]. 
In some of these works the reader may find a study of the embedding efficiency as well as 
some implementation issues. 

The aim of this article is to take another step in this study. We give exact answers to 
the questions (1) in section 2 and (3) in section 3 above, relating the wet threshold and 
overhead to well known parameters of the code having H as parity check matrix, and 
highlighting the role played by the dual distance. The relation with the weight hierarchy 
of codes is studied in section 4. Finally in section 5 we extend the matrix encoding method 
to the broad family of systematic codes, showing the relationship between stegoschemes, 
resilient functions and orthogonal arrays. We show that wet paper codes arising from 
systematic nonlinear codes may behave better than the ones coming from linear codes, in 
the sense that they may require less free positions to ensure the existence of solution. 

2. A NECESSARY AND SUFFICIENT CONDITION FOR THE EXISTENCE OF SOLUTIONS 

Let c, m, H and W as defined in the Introduction and let us study the solvability of the 
linear equation 



Let C be the [n,n — r] linear code whose parity check matrix is H and let G be a generator 
matrix of C. Denote by C"*" the dual of C and by = d{C-^) the minimum distance of 
C"*". For m G Fg, we shall denote by cl(m) a leader of the coset {x G F2 : xiJ^ = m}. 
Since :x.H^ can be interpreted as a syndrome, the system [S] has a solution if there exists 
X G cl(m) +C such that 7r>v(x) = 7r>v(c), where ttw is the projection over the coordinates 
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of W. Equivalently [S] has a solution if and only if 7rw;(c) G 7rw(cl(m) + C). For a matrix 
M with n columns, let Mw be the matrix obtained from M by deleting the columns with 
indexes in V. 

Lemma 2.1. For all cosets y + C, the projections 7ryy(y + C) have the same cardinality, 
#7ryy(y + C) = 2^^'^^('^w). Thus [S] has a solution for general c and m if and only if the 
matrix Gyy has full rank, rank(Gvv;) = i. 

Proof 7rw(y + C) = vr>v(y) + 7rw(C), hence #vrw(y + C) = #7r>v(C) and 7r>v(C) is a 
vector space of dimension rank(Gvv;). For fixed c and m, [S] has a solution if and only if 
7rvv;(c) G 7rw(cl(m) + C). Since #7rw(F2) = 2^, this occurs for all c and m if and only if 
Gw has full rank, rank(Gw) = i. Note that r < 6. □ 

Lemma 2.2. Gyv has full rank if and only if there is no nonzero word ofC^ with support 
contained in W. 

Proof. Since G is a parity check matrix of C"*", a nonzero word in C"*" with support contained 
in W imposes a linear condition on the columns of G>v and conversely. □ 

More generally, if there exist w independent words of with support in W then we have 
rank(Gvv;) = £ — w. This suggests that the weight hierarchy of C also plays a role in the 
study of the solvability of [S]. This study will be conducted later in section 4. 

Theorem 2.3. The system [S] has a solution for arbitrary c G F2 , m G F2 and 
W C {1, . . . ,n} with #W = n — 6, if and only if 5 > n — d-^ + 1. In this case [S] 
has exactly solutions. 

Proof. If 5 > n — c/"*" + 1 then #VV < and no nonzero codeword of has support 
contained in W. Conversely, take a codeword of weight d^ and a set W of cardinality n — b 
containing its support. Then rank(G>v) < n — b and the homogeneous system ifx* = 
has no solution for c such that 7rvv;(c) is not in the subspace 7r>v(C) spanned by the rows of 
Gvv. When rank(Gvv;) = n — then the number of solutions is j^C j j^ixy^iC) = 2^^^. □ 

Then when using a parity check matrix of a [n, n—r] code C, at most n — d-^ + 1 dry symbols 
are needed to embed r information symbols. The wet threshold of C is r = n — c?-*- + 1 
and its strict overhead is n — d^ + 1 — r. Remark that according to the Singleton bound 
applied to we have n — d-^ + 1 > r. The difference n — rf-*- + 1 — r is known as the 
Singleton defect of C"*". Thus, when using a parity check matrix of C to embed information 
via wet paper codes, the strict overhead is just the Singleton defect of the dual code C^. 

Example 2.4. (1) Consider the binary Hamming code of redundancy s and length 
n = 2^ — 1. The dual distance is d^ = 2^~^, hence we can embed s information bits 
into a cover vector of length n with 2'^"^ ^ n/2 dry positions. To see that less dry sym- 
bols are not enough to have solution with certainty, consider a parity-check matrix whose 
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rows are the binary representations of integers 1, . . . , 2'^ — 1. When deleting the last 2*~^ 
columns of H we obtain a matrix whose last row is 0. Note also that the method proposed 
in [1] allows to embed one information bit for n/2 dry positions modifying one bit of the 
cover vector. (2) In general it is not simple to construct codes with bounded Singleton 
defect. An exception are algebraic geometry codes, built from an algebraic curve and two 
rational divisors, see [16]. It is known that the Singleton defect of a code comming from 
a curve X is bounded by the genus of X. Therefore it is possible to construct wet paper 
codes with strict overhead as small as desired. 



3. Computing the overhead 



Our second task is to compute the average overhead m = 5 — r to have a solution for 
random C, W, c and m (according with previous notations). Also we obtain an estimate 
on the probability of having solution. Let us denote by avrank(t, s) the average rank of a 
random t x s matrix M. 

Proposition 3.1. For random C, W, c and m as above, the probability that 6 dry symbols 
are enough to transmit r < S message symbols is 

_ 9avrank(n-r,n-(5)-(ri-(5) 

Proof. The probability that the corresponding system [S] have a solution is 

#7rw(C) 2avrank(Gw) 



p = prob (7ryv;(c) e 7r>v(cl(m) + C)) 



>n— 5 On— 5 



□ 



The function avrank(t, s) can be computed using theorem 3.2 below. The rank properties 
of random matrices have been investigated in coding theory, among other fields, related 
to codes for the erasure channel, see e.g. [22]. As shown in [7, 9], these results allow us 
to give an estimate on the average overhead. Since G>v is a (n — r) x (n — 6) matrix and 
{n — r) — {n — 6) = 6 — r, then m can be seen as the minimum number of extra rows 
beyond n — 6 required to obtain a matrix of full rank. Let t, m be non negative integers 
and Mt+m,t be a random (t + m) x t matrix with m > 0. 

Theorem 3.2. Let Mt+m,t be a matrix where the elements of ¥2 are equally likely. Then 

00 s 

\im prob (rank(Mi+„,i) = t - s) = J] (1-2-^ /2^(^+™) J] (l - 2"^) . 

j=s+m+l j=l 

See [4, 13, 22]. It is known that this formula is very accurate even for small t and m. 
This theorem directly allows us to obtain numerical estimates on the function avrank 
and consequently on the probability that [S] admits a solution for random C, W, c and 
m. These estimates can be found in the literature (see [18] and the references therein) 
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and we will not repeat them here. Also theorem 3.2 can be used to compute the average 
number of extra rows needed to have full rank. Following [22], for any positive m, let 



oo 



Qm= II (1-2-^). 

j=m+l 

According to the theorem, the probability that exactly m extra rows beyond t are 
needed to obtain a [t + m) x t random matrix of full rank is Qm — Qm-i- Since 
Qm-i = ((2™ — l)/2'")(5,n we have Qm — Qm-i = <5m/2'", so the average number of 
extra rows is 

oo oo 

m = ^ m{Q„, - = ^ ^Qm- 

m=l m=l 

This series is convergent as it is upper-bounded by a convergent arithmetic-geometric 
series. Let us remember that from elementary calculus we have Ylm=i — ^/O- ~ 
when |x| < 1. Then 

oo oo 

Em ^ X ^ m 
Qm < > = 2. 

m=l m=l 

A direct computation shows that m = 1.6067... Then the average overhead is 1.6067 and, 
for n large enough, 6 dry bits are enough to transmit r ~ 5 — 1.6 information bits. 



4. Solvability and the generalized Hamming weights 

Let C be a linear [n, n — r] code and let be its dual. The dual distance d,-^ can be 
expressed in terms of C via its weight hierarchy. Let us remember that for 1 < t < n — r, 
the t-th generalized Hamming weight of C is defined as (see [25]) 

dt{C) = min{#supp(L) : L is a t-dimensional linear subspace of C} 

where supp(L) = UxeLSupp(x). The sequence di{C) , . . . , dn-r{C) is the 
weight hierarchy of C. Two important properties of the weight hierar- 
chy are the monotonicity di{C) < d2{C) < ■ ■ ■ < dn-r{C) and the duality 
{di{C),...,dn-r{C)}U{n + l-di{C^),...,n + l-driC^) = {l,...,n}. For sim- 
plicity we shall write di, . . . , dn-r and d^, . . . , d^. If d^-r = n, we define the MDS rank 
of C as the least integer t such that dt = r + t (and consequently dg = r + s for all s >t). 
Note that classical MDS codes are first rank MDS codes. 

Proposition 4.1. IfC has MDS rank t and 5 >t + r — 1, then the corresponding system 
[S] has a solution for arbitrary c G , m G F2 and W C {1, . . . , n} with i^W = n — 6. 



Proof. By the duality property C has MDS rank t = n—r—d +2 hence n—d +1 = t+r—1 
and proposition 2.3 implies the result. □ 
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This proposition leads us to consider codes with low MDS rank. MDS codes, and Reed- 
Solomon codes in particular, were proposed as good candidates in [6]. The main drawback 
of MDS codes is its small length. So, we may consider codes of higher rank, reaching a 
balance between length and security in the existence of solutions. In this sense, algebraic 
geometry codes (defined in example 2.4) can be a good option. It is known that an 
AG code coming from a curve of genus g has MDS rank at most g + 1 — a, where a 
is its abundance, more details in [16]. Yet we find again the problem of the length of 
obtained codes. For example, it has been conjectured that Near MDS codes (codes for 
which d + d^ = n) over Fg have length upper bounded by g + 1 + 2y/q (observe that codes 
arising from elliptic curves are either MDS or NMDS). Another option is to extend the 
ground alphabet. Several strategies have been proposed. One of the more interesting is 
to consider the Justensen construction with algebraic geometric codes [20]. The following 
result extends proposition 2.3 to all generalized Hamming weights. 

Proposition 4.2. If dt > S > r for some t > 6 — r, then rank{G)^) >n — r — t + 1 for 
every set W C {1, . . . , n} with = n — 6. 

Proof. Consider the code Cyy obtained from C"*" by shortening at the positions in V. Since 
Gvv is a parity-check matrix for Cy^, we have rank(Gvv) = n— 5— dim(Cyy). If d^ > n—6+1 
then it holds that dim(C-jj^) < t — 1, hence rank(Gw;) > n — 6 — t + 1. Assume dt > S. 
Then n — dt + 1 < n — 6 + 1, and by the duality and monotonicity properties, the interval 
[n — 5 + l,n] contains at least 6 — t + 1 terms of the weight hierarchy of C"*". Thus 
d^-s+t > n — 6 + 1 and we get the statement. □ 

5. A GENERALIZATION TO SYSTEMATIC CODES 

In this section we extend the matrix embedding construction, and the wet paper method in 
particular, to the wide family of systematic codes. We show that stegoschemes based on 
these codes are handled essentially in the same manner as in the case of linear codes. 
The use of systematic codes was suggested by Brierbauer and Fridrich in [3], where 
stegoschemes arising from the Nordstrom- Robinson codes are treated in some detail. Here 
we go deeper into this study, showing the relationships between stegoschemes, orthogonal 
arrays and resilient functions. We pay special attention to the analogue of proposition 
2.3, showing its combinatorial nature. 

5.1. Systematic codes. Let us remember that for a set W C {1, . . . , n} with u = 4H^i we 
denote by tiu '■ F2" — j- F2" the projection on the coordinates oiU. If V = {1, . . . , n} \ W, 
we shall write a vector x G as x = (u, v), where u = nui^) G ^"^^ ^ — ^v(x) G F2, 
V = n — u. A code C of length n is systematic if there exist u positions that carry the 
information. More formally, given a set W C {1, . . . ,?t,}, we say that C is systematic at 
the positions ofU (or simply systematic when the set lA is understood) if for every u G F2 
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there exists one and only one codeword x G C such that itu(x.) = u. Up to reordering of 
coordinates we can always assume that U = {!,...,«} and V = {m + 1, . . . , n}. 

If C is systematic then #C = = 2". We say that C is a [n, u] code. Clearly every [n, u] 
linear code is systematic of dimension u hence this notation is consistent. Thus systematic 
codes generalize linear codes. However the family of systematic codes is much greater than 
the family of linear codes (apart from the advantage of being defined over alphabets other 
than fields). To see that note that it is fairly simple to construct a systematic code C: 
just complete each vector in to a vector in Fg. This completion induces a generator 
function (T = ac : F^ -> F^"" defined to C = {(u, a(u)) : u e F^}. Then C is linear if and 
only if so is a. In this case there exists a m x {n — u) matrix E such that o"(u) = uE. Then 
(J„, S) is a generator matrix for C and consequently H = (— S^, is a parity-check 
matrix of C. Since every map F2 ¥2 can be written as a reduced polynomial, the 
components ai, . . . , cr„_„ of cr are square free reduced polynomials in variables Xi, . . . , 

The family of systematic codes contains some nonlinear codes having excellent parameters. 
Among these we can highlight the Preparata, Kerdrock, Nodstrom-Robinson and many 
others. Some of them have also efficient decoding systems (which is the main drawback 
of nonlinear codes). Other well known example is the following. 

Example 5.1. The Nadler code A/" is a [12,5] systematic nonlinear code with covering 
radius p = 4 and minimum distance d = 5, [17]. JV contains twice as many codewords as 
any linear code with the same length and minimum distance, see [24]. Among the current 
practical applications of J\f we can mention its use for the decoder module of SINCGARS 
radio systems [10]. The combinatorial structure of A^ was shown by van Lint in [23]; 
following this article, the 32 codewords of A/" are shown in Table 1. 



Oil 100 100 100 

101 010 010 010 

110 001 001 001 

100 Oil 100 100 

010 101 010 010 

001 110 001 001 

100 100 oil 100 

010 010 101 010 

001 001 110 001 

100 100 100 oil 

010 010 010 101 

001 001 001 110 



111 010 100 001 

111 001 010 100 

111 100 001 010 

010 111 001 100 

001 111 100 010 

100 111 010 001 

100 001 111 010 

010 100 111 001 

001 010 111 100 

001 100 010 111 

100 010 001 111 

010 001 100 111 



oil oil oil oil 

101 101 101 101 

110 110 110 110 
000 111 111 111 

111 000 111 111 
111 111 000 111 
111 111 111 000 
000 000 000 000 



Table 



The 32 codewords of 



the Nadler code 
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It is not hard to check that this code is systematic at positions 1,2,4,7, 10. Besides the 
exhaustive enumeration given in Table 1, M can be described by the function a. Up to 
reordering of coordinates so that is systematic at positions 1, . . . , 5, we have 



0-6 


= Xi + X2 + X3 + {Xi + X5){X3 + X4) 


a^ 


= Xi + X2 + X4 + {Xi + X3){X4 + X5) 


erg 


= Xi + X2 + X5 + {Xi + X4){Xs + Xr,) 


erg 


= X2+ Xs+ Xi + X1X4 + + X5X1 




= X2 + Xs + X5 + X1X3 + XsXi + X4X1 




= Xi + X4 + X5 + X1X3 + X3X5 + X5X1 


(7l2 


= Xi + X2 + X3 + Xi + X5 + X3X4 + X4X5 + X5X3 



In order to construct a stegoscheme from a systematic code, we need a partition of F2 
and a family of decoding maps, one map for each element of the partition. 

Proposition 5.2. Let C be a [n,u] systematic code. Then the sets (0,v) + C, v G F2~", 
are pairwise disjoint and hence the family ((0, v) + C : v G Fg"**) is a partition o/Fg. 

Proof. If (0,vi) + Ci = (0,V2) + C2 for some Vi,V2 G Fa^" and Ci,C2 G ¥'.^, then 
7r^/(ci) = 7rw((0, vi) + ci) = 7rw((0, V2) + C2) = ttu{c2)- Then Ci = C2 and consequently 

Vi = V2. □ 

In general the translates x + C are not pairwise disjoint when x runs over the whole space 
F2. In that case these sets do not give a partition of Fg and they are not useful for 
decoding purposes. Anyway the partition given by proposition 5.2 allows us to define 
a syndrome map s : F2 — ?■ F2~" as follows: define s(x) = v if x G (0,v) + C. The 
systematic property leads us to compute s(x) efficiently: if x = (u, w) then we can write 
(u, w) = (u, cr(u)) + (0, s(x)) and hence s(x) = w — cr(u). If a is a linear map, and hence 
the code C is linear, then s(x) = xif-^ is the usual syndrome for linear codes. 

A decoding map for a general code C C Fg is a mapping dec : F2 — ?■ C such that for every 
X G F2 , dec(x) is the closest word to x in C. If more than one of such words exists, simply 
choose one of them at random. 

Proposition 5.3. Let C C Fg 6e a systematic code and z G F2 . //dec is a decoding map 
for C then deCz;(x) = z + dec(x — z) is a decoding map for the code z + C. 



Proof. Clearly deCz(x) G z + C. If there exists z + c G z + C such that 
(i(x, z + c) < (i(x, deCz(x)), then (i(x — z,c) < (i(x — z,dec(x — z)), which contradicts 
that dec is a decoding map for C. □ 
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5.2. Stegoschemes from systematic codes. Let C be a [n,n — u] systematic code and let dec 
be a decoding map for C. According to propositions 5.2 and 5.3, we obtain a stegoscheme 
iS = S{C) from C, whose embedding and recovering maps are 

emb : x ^ , emb(c, m) = dec(o,ni)(c) = (0, m) + dec(c - (0, m)) 

rec : F^ ^ , rec(x) = s(x). 

By definition of syndrome it holds that rec(emb(c, m)) = s(dec(o,m)(c)) = m for all c G Fj 
and m G Fg. Compare this with the usual expression emb(c, m) = c — cl{cH^ — m) for 
linear codes. We note that to perform this embedding it is necessary to have a table with 
all syndromes and cosets leaders, even if the decoding map used does not require them. 
Therefore, the systematic formulation can be useful even using linear codes. 

Let us study the parameters of S{C) in relation with those of C. The cover length is n and 
the embedding capacity r = u. To compute its embedding radius and average number 
of embedding changes we first need to recall some concepts from coding theory. Given 
a general code D, its covering radius is defined as the maximum distance from a vector 
X e F^ to D, p{V) = max{c/(x, D) : x G F^}, where d(x, V) = min{rf(x, c) : c G V}. The 
average radius of V, p(T>) is the average distance from a vector x G F2 to V 

If V is linear then both parameters can be obtained from the coset leader distribution of 
V, that is the sequence ao, ■ ■ ■ , an, where ai is the number of coset leaders of weight i. 
Clearly < ("). When i <t = [{d{V) - 1)/2J then all vectors of weight i are leaders 
hence we get equality, ai = ("). For i > t the computation of ai is a classical problem, 
considered difficult. For nonlinear V the coset leader distribution may be generalized to 
the distribution of distances to the code, defined as 

a, = ^#{xGF^d(x,P) = ^} 

If V is linear then both definitions of aj's coincide. A similar reasoning as above shows 
that the property a^ < (") with equality when i <t = \_{d(T>) — l)/2j remains true for 
all codes. The covering radius of V is the maximum i such that at ^ and the average 
radius is given by 

j=0 

If C is [n, n — u] systematic, then for all v G Fg and x G F2 we have 
(i(x, (0, v) + P) = (i(x - (0, v), "D). Thus all the translates ((0, v) + P : v G F^) have the 
same distribution of distances to the code and hence the same average radius and cov- 
ering radius. As a consequence we have the following result, which is well known for 
stegoschemes comming from linear codes. 
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Proposition 5.4. LetC be a [n,n — u] systematic code and let S the stegoscheme obtained 
from C. Then the embedding radius of S is the covering radius ofC and the average number 
of embedding changes RaiS) is the average radius of C. 

Proof. By definition of decoding map, the number of cfianges when embedding a message 
m into a vector x is (i(x, emb(x, m)) = (i(x — (0, m), C) and both statements hold. □ 

Example 5.5. The Nadler code of Example 5.1 is 2-error correcting, hence ao = 1, 
«! = 12, a2 = 66. Other values of a are obtained by computer search: 0:3 = 46, 04 = 3, 
and Q!j = for i = 5, ... ,12. Then /o(A^) = 2.296875. The stegoscheme derived from TV 
allows to embed 7 bits of information into a cover vector of 12 bits, by changing 2.296875 
of them on average and 4 of them at most. 

5.3. Stegoschemes, resilient functions and orthogonal arrays. Systematic codes allows us 
to make a connection of stegoschemes with two objects of known importance in informa- 
tion theory: resilient functions and orthogonal arrays. A function / : — is called 
t-resilient for some integer t < n, if for every T C {1, . . . , n} such that t^T = t and every 
t e F2, all possible outputs of /(x) with vr7-(x) = t are equally likely to occur, that is if 
for all y G F2 we have 

prob(/(x) = y | 7rr(x) = t) = ^ 

(see the relation to recovering maps of stegoschemes). Resilient functions play an impor- 
tant role in cryptography, and are closely related to orthogonal arrays [21]. An orthogonal 
array OAx{t,n) is a A2* x n array over F2, such that in any t columns every one of the 
possible 2* vectors of F2 occurs in exactly A rows. A large set of orthogonal arrays is a set 
of 2"~*/A arrays OA\(t,n) such that every vector of Fg occurs once as a row of one OA 
in the set. Then, by considering the rows of these arrays as vectors of Fg, a large set of 
OA gives a partition of Fg, see [21]. 

There is a fruitful connection between orthogonal arrays and codes, see [14] Chapter 5, 
section 5. If C is a linear [n, n — r] code then, according to proposition 2.3, the array 
having the codewords of C as rows is an OA^„_r_^^+^{d-^ — l,ri). Delsarte observed that 
a similar result holds also for nonlinear codes. Of course if C is not linear then the dual 
code does not exist, but the dual distance can be defined from the distance distribution 
of C via the dual transforms as follows [14] : The distance distribution of C is defined to 
be the sequence Aq, . . . , where 

A = ^#{(x,y)GC2:rf(x,y) = z} 
z = 0, . . . , n. The dual distance distribution of C is , . . . , A-^, where 

n 
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and Ki{x) is the i-th Krautchouk polynomial 




If C is linear then Aq, . . . ,A:^ is the distance distribution of C"*". If C is [n,n — u] sys- 
tematic, then the array having the codewords of C as rows is an OA^„_^_^±+i{d-^ — 1, n). 
Furthermore in this case all the translates (0, v) + C have the same distance distribution 
and hence the same dual distance. 

Proposition 5.6. Let C be a systematic [n,n — u] code with generator function a and 
dual distance d^ . For any v G let he the array having the words of (0, v) + C as 
rows. Then 

(a) The set {M^ \ v G Fg} is a large set of OA:^„^^_a±+i{d^ — l,n). 

(b) The syndrome map s(u, w) = w — o"(u) is an {d^ — 1) -resilient function. 

Proof. Let T C {1, . . . ,n} with #T = d-^ — 1 and t G Fg. (a) According to Delsarte's 
theorem, every one of the possible 2* vectors t occurs in exactly 2"""""^ """^ rows of ir-j-^C). 
Then the same happens in each of the translates (0, v) + C. (b) As a consequence of (a), 
all possible outputs of s(x) with 7r7-(x) = t are equally likely to occur, [21]. □ 

5.4. Locked positions with systematic codes. Let us return to the problem of embedding 
with locked positions. Let c G Fg be a cover vector and m G Fg be the secret we want 
to embed into c. There is a set W C {1, . . . , of n — 6 locked positions that cannot be 
altered during the embedding process. Consider a systematic [n, n — u] code C and let s 
be the syndrome of C defined in section 5.1. As in the case of linear codes, the embedding 
is obtained as a syndrome, emb(c, m) = x with 



Also as in the case of linear codes we can ask for the minimum possible number of dry 
(free) positions required to ensure a solution of [SS], the wet threshold of C. Such a 
solution exists if and only if 7r>v(c + (0,m)) G 7iy\!{C). In that case, if y G C verifies 
''i"w(y) = 7r>v(c + (0, m)), then x = y + (0, m) is a solution. 

Proposition 5.7. If 6 > n — d^ + 1 then the system [SS] has a solution for all c G F2 , 

m G F^ and W C {1, . . . ,n} with #>V = n - 6. In this case, [SS] has exactly 2'^"" 
solutions. 

Proof. There exists a solution all c G Fg, m G F2 and W C {1, . . . ,n} if and only if 
7rw(C) = F2~''. The statement follows from Delsarte's theorem and proposition 5.6. □ 
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Thus the threshold verifies t < n — d + 1. If we compare this resuh with theorem 2.3, 
we can see a significant difference: in that case the condition 6 > n — d-^ + 1 was also 
necessary. This is due to the existence of dual when the code C is linear. If C is systematic 
but not linear, then such dual does not exist and it may happen t < n — d^ + 1 so that 
we need less free coordinates than the required in the linear case. Let us see an example 
of this situation. 

Example 5.8. The Nadler code has distance distribution 1, 0, 0, 0, 0, 12, 12, 0, 3, 4, 0, 0, 
and dual distance distribution 1,0,0,4,18,36,24,12,21,12,0,0. In particular d^ = 3. 
When using this code for wet paper purposes, the corresponding system [SS] has a solution 
with certainty when the number of locked coordinates is < d"*" — 1 = 2, according to 
proposition 5.7. A direct inspection shows that for any 4 columns of A/", every one of the 
possible 2^ vectors of occurs. According to the Bush bound [11] this is the maximum 
possible number of columns for which this can happen. Then the system [SS] has a 
solution with certainty when the number of locked coordinates is at most 4. Remark that 
the minimum distance of a [12, 7] linear code is 4, see [15], hence the maximum number 
of coordinates we can lock using linear codes with the same parameters as N' is 3. 

The above proposition 5.7 and example 5.8 suggest the use of nonlinear systematic codes 
as wet paper codes. The main drawback of using these codes is in the computational 
cost of solving [SS]. Solving a system of boolean equations is a classical and important 
problem in computational algebra and computer science. There exist several methods 
available, some of which are very efficient when the number of variables is not too large, 
see [2, 12] and the references therein. Anyway the computational cost of solving [SS] is 
always greater than that of solving a system of linear equations. In conclusion, the use of 
nonlinear systematic codes can be an interesting option when the added security gained 
through a greater number of locked positions offsets the increased computational cost. 

6. Conclusion 

We have obtained necessary and sufficient conditions to make sure the embedding process 
in the wet paper context. These conditions depend on the dual distance of the involved 
code. We also gave a sufficient condition in the general case of systematic codes and 
provided the exact number of solutions. Finally, we showed that systematic codes can be 
good candidates in the design of wet paper stegoschemes. 
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